Google- und Rosinenfreier Kuchen
@aral The laws being proposed and passed requiring providing age brackets to apps and websites are a horrific invasion of privacy for minors putting their safety at risk. It not only enables targeting minors in harmful ways particularly for the lowest age brackets but also leaks their birth date to apps and websites on the day they move into the next age bracket. One of the biggest lobbyists for these OS level age verification laws is Meta which just lost a court case for exploiting minors.
@GrapheneOS
Yep, that's true. I really didn't (and don't yet). Thanks for the learning opportunity. I'm gonna try and change that.
@GrapheneOS
I also want to be up-front about it and disclose that I do know people involved in the Warden library.

@GrapheneOS

Is there an in-depth blog post that lays out how you define root-based vs pinning-based attestation?

I'm trying to understand the argumentation why root-based attestation is considered bad and why pinning-based attestation is better.
I've been going through the auditor app's about page and some of your comments in the source code, but I'm failing to understand the difference between root-based vs pinning-based attestation, so far.

From my PoV, Auditor just uses the standard Android app attestation (in a neat way). Is there anything specific that libraries like Warden do differently architecturally, something that you consider to be problematic?
Or do the approaches distinguish themselves mostly by the threat model instead?

Tbf, I really just started looking more deeply into how attestation works on Android the other night, so please excuse my ignorance. I just can't seem to find a good resource that explains the differences between the approaches.